psmod2
By:
psmod2

Nginx - SSL and Handling www / non.www domains

January 25, 2017 656 views
Nginx Dokku

Hi,

I'm writing to confirm my implementation of SSL and www.mydomain.com and mydomain.com (i.e. without www) is correct.

I have certs already purchased from name.com. I've got those in place and referenced in the default file in the path /etc/nginx/sites-enabled and checked against sudo nginx -t to ensure syntax is ok.

This looks like:

server {
  listen 443 ssl;

  server_name www.mydomain.com mydomain.com;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

  ssl_certificate /home/nodeapp/www.mydomain.com.chained.crt;
  ssl_certificate_key /home/nodeapp/www.mydomain.com.key;
}

I've added by www.mydomain.com and mydomain.com as domains, so dokku domains node app shows:

mydomain.com
www.mydomain.com

The command dokku certs:info mydomain shows the certificate details with:

=====> Common Name(s): 
=====>    www.mydomain.com
=====>    www.mydomain.com
=====>    mydomain.com

Then in my Cloudflare DNS settings (where i also have redirect from non www to www with https) I have 2 records:

A record -> mydomain.com -> points to my droplet IP
CNAME record -> www -> points to @ - is an alias of mydomain.com

Advice/confirmations would be appreciated.

Many Thanks

1 comment
  • Also to note - its fully working. I thought it was as the Cloudflare SSL was taking over. However now I've disabled it when going to the URL - I get too many redirects occurred.

    And In the sudo cat /var/log/nginx/error.log - I get the following:

    2017/01/25 14:11:22 [warn] 26662#26662: conflicting server name "www.mydomain.com" on 0.0.0.0:443, ignored
    2017/01/25 14:11:22 [warn] 26662#26662: conflicting server name "mydomain.com" on 0.0.0.0:443, ignored
    2017/01/25 14:11:22 [warn] 26665#26665: conflicting server name "www.mydomain.com" on 0.0.0.0:80, ignored
    2017/01/25 14:11:22 [warn] 26665#26665: conflicting server name "mydomain.com" on 0.0.0.0:80, ignored
    2017/01/25 14:11:22 [warn] 26665#26665: conflicting server name "mydomain.com" on 0.0.0.0:443, ignored
    2017/01/25 14:11:22 [warn] 26665#26665: conflicting server name "www.mydomain.com" on 0.0.0.0:443, ignored
    2017/01/25 14:11:22 [warn] 26665#26665: conflicting server name "www.mydomain.com" on 0.0.0.0:443, ignored
    2017/01/25 14:11:22 [warn] 26665#26665: conflicting server name "mydomain.com" on 0.0.0.0:443, ignored
    
4 Answers

@psmod2

The issue of "too many redirects" is an issue with CloudFlare. You'll need to login to the CloudFlare control panel and under their "Crypto" tab, make sure SSL is set to "Full (Strict)" and allow that to take effect.

As for the error log, if you could, please post the full server block(s) so I can take a look at them. You can comment out the domain and/or IP's if needed.

  • @psmod2

    If the change at CloudFlare doesn't work, and you happen to have a 301 redirect, try changing it to a 302 redirect and restarting NGINX. That should resolve the too many redirects error.

@jtittle

Thanks - changing that CloudFlare to "Full (Strict)" and a reload dokku deploy nodeapp seemed to help.

I'll keep an eye on that conflicting server name error. I'm not sure why that appeared.

Finally, regarding the SSLs. Is this a 2 step process? Namely, I need to :

1 - In my default file of path /etc/nginx/sites-enabled I add:

server {
  listen 443 ssl;

  server_name www.mydomain.com mydomain.com;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

  ssl_certificate /home/nodeapp/www.mydomain.com.chained.crt;
  ssl_certificate_key /home/nodeapp/www.mydomain.com.key;
}

2 - I also add the certs using dokku certs:add e.g.:

cat fullchain.pem > server.crt
cat privkey.pem > server.key
tar cvf certs.tar server.crt server.key 
dokku certs:add nodeapp < certs.tar

I ask because tutorials I've seen mention Step 1, but not Step 2

Thanks again!

@psmod2

In the directory where your server blocks are, do you happen to have an extra file that's marked with a tilde (~) or a temp file by chance? Or even a dot, or .save, or something of that nature?

From the looks of it, NGINX is trying to load your server block twice and when it does it's stating that the domain is already loaded from one configuration file so it's ignoring the second.

If NGINX is setup to load everything from /etc/nginx/sites-enabled, for example, it will attempt to load everything in that directory. So if there's an extra server block with the same information, you'll see the logs populated with that error.

Hi,

I did a ls -a at the path /etc/nginx/sites-enabled and there is only file file default.

Anywhere else this I need to be checking?

Could this be because I have 2 domains listed - i.e. if i do dokku domains myapp, i'm presented with www.mydomain.com and mydomain.com?

Have another answer? Share your knowledge.